Publishers of technology books, eBooks, and videos for creative people

Home > Blogs > Keeping Your Joomla! Web Site Secure

Keeping Your Joomla! Web Site Secure

By  Oct 24, 2011

Topics: Web Design & Development

A Joomla! web site is no more or less secure than any other CMS or custom developed web site. All web sites are vulnerable to malicious attacks, hackers, and spammers if you don't take the necessary steps to protect them. Securing a Joomla web site is as important as it is simple, just follow the checklist outlined in this article.

Before Installing Joomla

Meeting Joomla Web Server Requirements:

The first line of defense in protecting your web site is to understand Joomla's server requirements. Don't immediately select the lowest priced hosting provider or hosting that promises “unlimited” bandwidth or space. Do your research and find a reliable, Joomla-friendly hosting company.

Verify your web server meets the following recommended requirements:

Joomla 1.7+

  • PHP 5.3+
  • MySQL 5.0.4+
  • Apache 2.x (with mod_mysql, mod_xml, and mod_zlib)
Joomla 1.5
  • PHP 5.2+
  • MySQL 4.1.x+
  • Apache 2.x+ (with mod_mysql, mod_xml, and mod_zlib)
Windows Servers:
  • Microsoft IIS 7
For a complete list of recommended settings and security requirements see:

During Joomla installation:

  • Finish the installation process immediately after uploading Joomla to your web server.

As soon as you upload Joomla to your web server, it is ready to start the Joomla installation wizard. Anyone browsing to your site will see the installation wizard until you have completed the full installation process.

  • Do not enable the FTP layer.

The FTP layer allows Joomla to read, write, and execute scripts from poorly designed 3rd-party extensions or if your web server is configured incorrectly. You should never have this enabled on a live site.

  • Use a custom database table prefix.

In Joomla 1.5 you can change the default prefix of jos_ during installation. For Joomla 1.7 and above a random prefix is automatically generated for you (Figure 1).

After Installation

Protect the Super User (Admin) Account

During installation the first Super User (Admin) account is created. In Joomla 1.5 the user name defaults to admin. In Joomla 1.7 you can create your own user name, however, the “real name” associated with both versions of the Super User account is always Super User or Super Admin. Additionally, the Super User account is assigned a specific ID number by the system. In Joomla 1.5 the ID number is 62 or 63. In Joomla 1.7 and higher the ID number is 43 (Figure 2).

This information is common knowledge however by changing the following you protect unwanted access to your Super User account(s).

  • Change the Super User account name.
  • Change the Super User username (Joomla 1.5 only).
  • Change the ID number associated with the Super User account.
  • Never have more than 3 user accounts assigned Super User privileges.

To change the Super User ID number, simply create a new User through the User Manager and then delete the original Super User account. You will need to log out and then log back in with the new account before you can delete the first Super User account. A secure Super User account contains your real name and a new ID number that differs from the default assigned by Joomla (Figure 3).

Keep Joomla Directories and Files Secure

On a live web site your Joomla directories should be set to 755 and files should be 644. This allows Joomla, with the proper permissions, to Read, Write, and Execute files correctly. If an extension you use will not work or install properly, or asks you to CHMOD your file permissions to 777 in order to function, either your web server is configured improperly for Joomla privileges or it is a bad extension and you should not use it. Having directories and files with 777 privileges is a huge security risk!

Update Joomla Regularly with Patch Releases

Everyday hackers create new ways to attack sites. Developers and testers watch for vulnerabilities and new attack scripts. Keeping Joomla up-to-date keeps Joomla secure. The same goes with any 3rd-party extensions you are using.

Most patch releases and updates contain security and bug fixes. Just like using the most currently supported PHP and MySQL versions, you need to keep Joomla and each of your Joomla extensions current.

For Joomla 1.5 you will need to perform updates on your web server or through an FTP program. For Joomla 1.7 and higher, updates are now handled with a single click through the Extension Manager.

Lock Down User Registrations

Social interaction, allowing user registration, interaction through blog or article comments, and newsletter subscriptions are common place on today’s web sites. Along with allowing user interaction on your site comes spam scripts just waiting to exploit your content. To protect your site from these exploits you need to lock down and ensure that real people are registering and using your site.

Joomla does not currently have a built in mechanism to protect you from content spammers, so you should look into installing 3rd-party extensions such as ReCaptcha or Akismet. These extensions require input from a real person and help to keep spam scripts from creating dozens of user registrations on your site.

If you use a 3rd-party social extensions such as Community Builder or JomSocial, these extensions have user registration protection built in.

Clean House - Keep Your Joomla Site Tidy

Although not as big a security risk as the other items I have listed here, it is important that you keep your Joomla cache, temp directory, and database tables cleaned up. It is not uncommon to try out a few different templates or 3rd-party extensions that you may later decide not to use. If you uninstall these extensions, not all of them remove the database tables left behind. To keep your Joomla site optimized and running clean:

  • Clean the Joomla cache regularly by using the Site --> Maintenance menu.
  • Delete files left behind in your temp directory.
  • Use PHPMyAdmin to remove unused database tables left by extensions you have uninstalled.
  • Uninstall Site templates you are not going to use on the front end of the site.

Note: I uninstall all Site templates except the one I am using and the Beez20 default template. Keeping the Beez20 default template helps you to troubleshoot Joomla template issues. Should you be faced with a white screen, you can change back to the default Site template to see if your problem is a template error.

Perform Regular Backups

The most important thing you can do is schedule regular backups of your Joomla site. Sign-up for backups with your hosting provider and perform physical backups yourself. Then keep a copy of your most recent site backup on your local computer. Should anything go wrong with your Joomla site you can immediately revert to a backup.

Following these simple steps will keep your Joomla site secure and protected. To make it even easier to perform the tasks mentioned in this article, I highly recommend you download the Admin Tools and Akeeba Backup extensions from Akeeba. These two free extensions contain all you need to secure and maintain your Joomla site. For more information or to download the Akeeba extensions, visit